Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server using
DHE key exchange. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
in out-of-bounds reads for arrays. (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/12
Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket but a
pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133
PR-URL: https://github.com/nodejs/node-private/pull/13
Security Update
Notable items:
* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as
part of the strategy to get a version of npm into Node.js v0.10.x that
works with the current registry
(https://github.com/nodejs/LTS/issues/37). This version of npm prints
out a banner each time it is run. The banner warns that the next
standard release of Node.js v0.10.x will ship with a version of npm
v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis)
#4133
PR-URL: https://github.com/nodejs/node-private/pull/15
PR-URL: https://github.com/nodejs/node/pull/4138
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Original commit message:
[tools] Make gen-postmortem-metadata.py more reliable
Instead of basing matches off of whitespace, walk the
inheritance chain and include any classes that inherit
from Object.
R=machenbach@chromium.org,jkummerow@chromium.org
NOTRY=true
Review URL: https://codereview.chromium.org/1435643002
Cr-Commit-Position: refs/heads/master@{#31964}
This adds some missing classes to postmortem info like
JSMap and JSSet.
Ref: https://github.com/nodejs/node/pull/3792
PR-URL: https://github.com/nodejs/node/pull/4106
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Original commit message:
This commit adds some postmortem data that is otherwise unavailable.
I have discovered need in those values when writing:
https://github.com/indutny/llnode
BUG=
Review URL: https://codereview.chromium.org/1436473002
Cr-Commit-Position: refs/heads/master@{#31947}
This postmortem information is useful for both object inspection, and
function's context variables inspection.
Ref: https://github.com/nodejs/node/pull/3779
PR-URL: https://github.com/nodejs/node/pull/4106
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Backport 1ee712ab8687e5f4dec93d45da068d37d28feb8b from V8 upstream.
Original commit message:
Add SetAbortOnUncaughtExceptionCallback API
The --abort-on-uncaught-exception command line switch makes
Isolate::Throw abort if the error being thrown cannot be caught by a
try/catch block.
Embedders may want to use other mechanisms than try/catch blocks to
handle uncaught exceptions. For instance, Node.js has "domain" objects
that have error handlers that can handle uncaught exception like
following:
var d = domain.create();
d.on('error', function onError(err) {
console.log('Handling error');
});
d.run(function() {
throw new Error("boom");
});
These error handlers are called by isolates' message listeners.
If --abort-on-uncaught-exception is *not* used, the isolate's
message listener will be called, which will in turn call the domain's
error handler. The process will output 'Handling error' and will exit
successfully (not due to an uncaught exception). This is the behavior
that Node.js users expect.
However, if --abort-on-uncaught-exception is used and when throwing an
error within a domain that has an error handler, the process will abort
and the domain's error handler will not be called. This is not the
behavior that Node.js users expect.
Having a SetAbortOnUncaughtExceptionCallback API allows embedders to
determine when it's not appropriate to abort and instead handle the
exception via the isolate's message listener.
In the example above, Node.js would set a custom callback with
SetAbortOnUncaughtExceptionCallback that would be implemented as
following (the sample code has been simplified to remove what's not
relevant to this change):
bool ShouldAbortOnUncaughtException(Isolate* isolate) {
return !IsDomainActive();
}
Now when --abort-on-uncaught-exception is used, Isolate::Throw would
call that callback and determine that it should not abort if a domain
with an error handler is active. Instead, the isolate's message listener
would be called and the error would be handled by the domain's error
handler.
I believe this can also be useful for other embedders.
BUG=
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1375933003
Cr-Commit-Position: refs/heads/master@{#31111}
Ref: #3036
Ref: https://github.com/nodejs/node/pull/3481
PR-URL: https://github.com/nodejs/node/pull/4106
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
test-http-exit-delay was introduced to confirm the removal of a 1 second
delay that can occur when exiting node after an http request.
This change refactors the test for simplicity and also in the hopes of
either eliminating flakiness on CI or, if not that, at least making
the source of the flakiness easier to track down.
Ref: https://github.com/nodejs/node/commit/16b59cbc
Fixes: https://github.com/nodejs/node/issues/4045
PR-URL: https://github.com/nodejs/node/pull/4055
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
As of 34b535f4c, test-child-process-flush-stdio was failing
on CentOS 5 systems in CI due to the change in stream state
checking in `child_process`. This commit fixes those failures
by making readable streams less eager in setting their readable
flag on EOF.
Fixes: https://github.com/nodejs/node/issues/4125
PR-URL: https://github.com/nodejs/node/pull/4141
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4143
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Colin Ihrig <http://www.cjihrig.com>
Reviewed-By: Kat Marchán <kzm@sykosomatic.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Charter for the HTTP Working Group
PR-URL: https://github.com/nodejs/node/pull/3919
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
PR-URL: https://github.com/nodejs/node/pull/4054
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
* add backticks around names
* add single quotes around event names
* add parenthesis after function names
* add internal links between different sections
* add external links to MDN for some JavaScript references
* sort the link definitions alphabetically
PR-URL: https://github.com/nodejs/node/pull/4054
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
test-net-socket-local-address had a race condition that resulted in
unreliability on FreeBSD and Windows. This changes fixes the issue.
Fixes: https://github.com/nodejs/node/issues/2475
PR-URL: https://github.com/nodejs/node/pull/4109
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
trivial commit to fix a couple inconsistent references to
the name of the project
PR-URL: https://github.com/nodejs/node/pull/4136
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
This just replaces all sources of openssl-1.0.2e.tar.gz into
deps/openssl/openssl
deps: copy all openssl header files to include dir
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
deps: fix openssl assembly error on ia32 win32
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .
deps: fix asm build error of openssl in x86_win32
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html
node needs to stop using masm and move to nasm or yasm on Win32.
openssl: fix keypress requirement in apps on win32
Reapply b910613792 .
deps: add -no_rand_screen to openssl s_client
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
deps: update openssl config files
Regenrate config files for supported platforms with Makefile.
deps: update openssl asm and asm_obsolete files
Regenerate asm files with Makefile and CC=gcc and ASM=gcc where
gcc-4.8.4. Also asm files in asm_obsolete dir to support old compiler
and assmebler are regenerated without CC and ASM envs.
PR-URL: https://github.com/nodejs/node/pull/4134
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Prevent OpenSSL's fipsld from being used to link native modules
because this requires the original OpenSSL source to be
available after Node's installation.
Fixes: https://github.com/nodejs/node/issues/3815
PR-URL: https://github.com/nodejs/node/pull/4023
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
The current implementation of tests for strings with length at or
exceeding kStringMaxLength allocate a temporary buffer inside a try
block to skip the test if there is insufficient memory. This commit adds
an invocation of the garbage collector after the temporary buffer is
allocated so that memory is freed for later allocations.
Change the corresponding catch block to rethrow the original exception
instead of asserting the exception message to provide more information
about the exception.
Add an additional check before trying to allocate memory to immediately
skip the test on machines with insufficient total memory.
PR-URL: https://github.com/nodejs/node/pull/3697
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
The CoC requests to avoid the casual use of profanity.
PR-URL: https://github.com/nodejs/node/pull/4122
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
These properties were initially used to determine stream status
back in node v0.8 and earlier. Since streams2 however, these
properties were *always* true, which can be misleading for
example if you are trying to immediately determine whether
a Writable stream is still writable or not (to avoid a "write after
end" exception).
PR-URL: https://github.com/nodejs/node/pull/4083
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
This commit fixes two issues in test-cluster-disconnect-handles:
1. If the master's TCP connection to the worker fails, the worker
process stays alive and causes many other tests that use the same
common port number to also fail (with EADDRINUSE).
2. One particular problem that can cause the master's TCP connection
to fail is attempting an IPv6 connection to the worker when no IPv6
network interfaces are available.
PR-URL: https://github.com/nodejs/node/pull/4084
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Determine object types of regular expressions, Dates, Maps, and
Sets in the C++ layer instead of depending on toString()
behavior in JavaScript.
PR-URL: https://github.com/nodejs/node/pull/4100
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
ES6 arrow functions are much more efficient than `.bind()` functions.
PR-URL: https://github.com/nodejs/node/pull/4038
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
34a35919e1 added pretty printing for
TypedArray, ArrayBuffer, and DataView. This change allows inspecting
those across different contexts.
Since instanceof does not work across contexts, we can use
v8::Value::IsTypedArray, v8::Value::IsArrayBuffer, and
v8::Value::IsDataView
PR-URL: https://github.com/nodejs/node/pull/4098
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
When writing multiline input, one can't chain function calls as if the
lines begin with a period, since those are treated as REPL commands.
Before:
> ([0, 1, 2]
... .map(x => x + 1))
Invalid REPL keyword
After:
> ([0, 1, 2]
... .map(x => x + 1))
[ 1, 2, 3 ]
PR-URL: https://github.com/nodejs/node/pull/3835
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Sometimes the test was timing out because the worker process remained
stuck in the breakpoint and didn't exit. This could happen because the
continue was sent before the breakpoint was set. If that's the case,
with this change, a new continue command is sent so the worker process
can end.
PR-URL: https://github.com/nodejs/node/pull/4009
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The algorithm used to convert negative values to hex generates incorrect
values when the low byte(s) of the value are zero because a carried
subtraction is applied prematurely.
Fixes: https://github.com/nodejs/node/issues/3992
PR-URL: https://github.com/nodejs/node/pull/3994
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
It also tests displayPrompt by checking for '> '.
PR-URL: https://github.com/nodejs/node/pull/3908
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
PR-URL: https://github.com/nodejs/node/pull/4089
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
When a client calls read() with a nonzero argument
on a Socket, that Socket sets this._consuming to true.
It never sets this._consuming back to false.
ChildProcess.flushStdio() currently doesn't flush
any streams where _consuming is truthy. But, that means
that it never flushes any stream that has ever been read from.
This prevents a child process from ever closing if one of
its streams has been read from, causing issue #4049. This
commit allows consuming streams to be flushed, and the
child process to emit a close event.
Fixes: https://github.com/nodejs/node/issues/4049
PR-URL: https://github.com/nodejs/node/pull/4071
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
These new checks are similar to the one introduced in 089d68861,
but for other types of objects. Specifically, if an object was
created in a different context, the constructor object will not be
the same as the constructor object in the current context, so we
have to compare constructor names instead.
PR-URL: https://github.com/nodejs/node/pull/3385
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
A value shouldn't be described as doing inherit from some class, more
strictly, the value is an instance of the class `Error`.
PR-URL: https://github.com/nodejs/node/pull/3658
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Stephan Belanger <admin@stephenbelanger.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Move the method that was added in commit 8ca412b from earlier this month
from lib/util.js to lib/internal/util.js.
Avoids exposing a method that we may not wish to expose just yet, seeing
how it relies on implementation details.
PR-URL: https://github.com/nodejs/node/pull/4026
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Remove a hack that was introduced in commit bb6d468d from November 2010.
This is groundwork for a follow-up commit that makes it possible to use
internal modules in lib/repl.js.
PR-URL: https://github.com/nodejs/node/pull/4026
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Links nested in backticks were not visually distinguishable before, this
fixes them.
PR-URL: https://github.com/nodejs/node/pull/4068
Reviewed-By: Roman Reiss <me@silverwind.io>
Make the win32 and posix versions of path.format() consistent in when
they add a directory separator between the dir and base parts of the
path (always add it unless the dir part is the same as the root).
Also, path.format() is now more functional in that it uses the name
and ext parts of the path if the base part is left out and it uses
the root part if the dir part is left out.
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/2408